SpoofedMe

Dec 04, 2014 • Roee Hay

Or Peles (@peles_o) and I have discovered an impersonation attack on social login protocols (e.g. OAuth 1.0 / 2.0 used for authentication) based on a combination of an implementation vulnerability existing in some identity providers (e.g. LinkedIn, which has fixed the issue) and a known design problem in the relying (third-party) website side.

The identity provider vulnerability is allowing the use of unverified email in the social login authentication process, making it possible for an adversary to fake ownership of an email address and log into a victim's account.

By exploiting the vulnerability we successfully impersonated a Slashdot (test) account using the (now patched) LinkedIn provider: